icon Book Free Consultation

JWT_Tool

Image

A toolkit for testing, tweaking and cracking JSON Web Tokens

Demo

Lock image
 

Installation

  • git clone https://github.com/ticarpi/jwt_tool
  • python3 -m pip install termcolor cprint pycryptodomex requests

Features

  • Checking the validity of a token
  • Testing for known exploits:
    • (CVE-2015-2951) The alg=none signature-bypass vulnerability
    • (CVE-2016-10555) The RS/HS256 public key mismatch vulnerability
    • (CVE-2018-0114) Key injection vulnerability
    • (CVE-2019-20933/CVE-2020-28637) Blank password vulnerability
    • (CVE-2020-28042) Null signature vulnerability
  • Scanning for misconfigurations or known weaknesses
  • Fuzzing claim values to provoke unexpected behaviours
  • Testing the validity of a secret/key file/Public Key/JWKS key
  • Identifying weak keys via a High-speed Dictionary Attack
  • Forging new token header and payload contents and creating a new signature with the key or via another attack method
  • Timestamp tampering
  • RSA and ECDSA key generation, and reconstruction (from JWKS files)
  • ...and lots more!

Usage

  • python3 jwt_tool.py